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The information systems audit report Strengthening Processes Related to IT Governance (11DP-13) was 
issued to the Committee in June 2012. The audit included three recommendations to the Department of 
Administration (department). In June 2013, we conducted follow-up work to assess implementation of the 
report recommendations. At that time, follow-up work was delayed due to organizational changes in the 
State Information Technology Services Division (SITSD). SITSD was contacted again in February 2014 
to finish assessing implementation of the recommendations. This memorandum summarizes the results of 
our follow-up work. 


Background 

The state should have strong and clearly defined policies and procedures to govern its information 
technology. The objective of this audit was to review the effectiveness of the Montana Information 
Technology Act (MITA) that was implemented in 2001. The audit noted MITA was effective, but could 
be strengthened and clarified in certain areas including IT planning, project management, and policy 
clarification. 


Audit Follow-up Results 
The following sections summarize the progress toward implementation of the report recommendations. 
Audit staff met with the State Chief Information Officer (CIO) and key personnel of SITSD to review 
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what work had been done to complete implementation. Various policy and procedure documents were 
reviewed as well. 


RECOMMENDATION #1 


We recommend the Department of Administration modify its agency information technology plan 
template and review process to ensure completeness and continuity. 


Implementation Status: Partially Implemented 


Since the audit, the new State CIO (appointed January 2013) identified the need for better IT planning 
throughout state agencies. A recognized information technology research and advisory company 
facilitated a process that combined industry best practices with the needs of the state to redefine the IT 
planning process. The State CIO met with a majority of agency CIO’s and obtained agreement on the 
sections that should be included in the plan. Through this, a new template with expectations was created 
as well as a timeline for all agencies to follow. Completion of all IT plan sections is mandatory. Project 
Management Office personnel within the department are responsible for reviewing agency IT plans to 
identify projects, possible impacts, and duplication. While this new process is intended to help ensure 
completeness, it is unclear if the new process will improve continuity. Agency initiatives are to be defined 
in IT plans. Once an initiative is funded, it becomes a project. Projects are managed through a completely 
separate process within the Project Management Office. According to SITSD personnel, initiatives are not 
carried through to subsequent IT plans and will only reappear in biennial IT reports after the projects are 
completed and included in the “accomplishments” section. Even though a new template and process have 
been defined, the department is currently in the midst of the IT planning process for the upcoming 
biennium. 


RECOMMENDATION #2 


We recommend the Department of Administration expand project management policy guidance 
and reporting procedures for state agencies. 


Implementation Status: Being Implemented 


In the original audit we noted project management policy did not include details or guidance for project 
managers. The Project Management Office has now defined guidelines within its website with documents 
and process charts. They are currently working on strengthening existing policy and getting more 
complete and consistent reporting from agencies. The department indicated that this policy review would 
be complete by July of 2014. There is also a new system in place to manage projects and add to the clarity 
of the project reporting process. 


RECOMMENDATION #3 


We recommend the Department of Administration clearly delineate information technology policies 
and formalize a systematic policy development process. 


Implementation Status: Being Implemented 


After the audit was issued, IT policy was incorporated into the Montana Operations Manual. As part of 
this process, IT policies were reduced down to less than twenty policies. After the new State CIO was 
appointed, old policies were re-established. SITSD has reviewed policies and developed an inventory. A 
new Enterprise Security Policy was implemented, and SITSD is now reviewing existing policies for 
absences, duplication, and need for clarification. The next step will be to complete this process for other 
IT policies. While reviewing policies, the differences between a policy and a standard is being redefined 
to help agencies better understand. It is expected this process will be done by the end of 2014. The policy 
development process includes the same steps as identified in our original audit, however, the process is 
now completed as part of the Montana Operations Manual workflow process. 
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